operator-framework
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 3 additions & 0 deletions b/‎go.sum‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/controller/operators/olm/operator.go‎
Lines changed: 7 additions & 5 deletions b/‎pkg/controller/operators/olm/operator.go‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎pkg/lib/apiserver/querier.go‎
Lines changed: 35 additions & 0 deletions b/‎pkg/lib/apiserver/querier.go‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎pkg/lib/apiserver/querier_test.go‎
Lines changed: 86 additions & 0 deletions b/‎pkg/lib/apiserver/querier_test.go‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎pkg/lib/apiserver/syncer.go‎
Lines changed: 212 additions & 0 deletions b/‎pkg/lib/apiserver/syncer.go‎
Lines changed: 212 additions & 0 deletions
@@ -20,6 +20,7 @@ require (
 	github.com/onsi/gomega v1.39.0
 	github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7
 	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
+	github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462
 	github.com/operator-framework/api v0.37.0
 	github.com/operator-framework/operator-registry v1.61.0
 	github.com/otiai10/copy v1.14.1
 
@@ -223,6 +223,7 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.7/go.mod h1:Pe7gBlGdc8clY5LJ0LpJXMt5AmgmWNH1g+oFFVUHOEc=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -322,6 +323,8 @@ github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7 h1:MemawsK6SpxEaE5y0
 github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY=
 github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
+github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462 h1:zX9Od4Jg8sVmwQLwk6Vd+BX7tcyC/462FVvDdzHEPPk=
+github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462/go.mod h1:nIzWQQE49XbiKizVnVOip9CEB7HJ0hoJwNi3g3YKnKc=
 github.com/operator-framework/api v0.37.0 h1:2XCMWitBnumtJTqzip6LQKUwpM2pXVlt3gkpdlkbaCE=
 github.com/operator-framework/api v0.37.0/go.mod h1:NZs4vB+Jiamyv3pdPDjZtuC4U7KX0eq4z2r5hKY5fUA=
 github.com/operator-framework/operator-registry v1.61.0 h1:LgX6lP5hUHfpMTMygsnySc7PKxibzqIoqWUm6NPWl2M=
 
@@ -57,6 +57,7 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/event"
 	index "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/index"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/labeler"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/openshiftconfig"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorlister"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
@@ -852,19 +853,20 @@ func newOperatorWithConfig(ctx context.Context, config *operatorConfig) (*Operat
 		return nil, err
 	}
 
-	// setup proxy env var injection policies
+	// Check if OpenShift config API is available (used by proxy and apiserver controllers)
 	discovery := config.operatorClient.KubernetesInterface().Discovery()
-	proxyAPIExists, err := proxy.IsAPIAvailable(discovery)
+	openshiftConfigAPIExists, err := openshiftconfig.IsAPIAvailable(discovery)
 	if err != nil {
-		op.logger.Errorf("error happened while probing for Proxy API support - %v", err)
+		op.logger.Errorf("error happened while probing for OpenShift config API support - %v", err)
 		return nil, err
 	}
 
+	// setup proxy env var injection policies
 	proxyQuerierInUse := proxy.NoopQuerier()
-	if proxyAPIExists {
+	if openshiftConfigAPIExists {
 		op.logger.Info("OpenShift Proxy API  available - setting up watch for Proxy type")
 
-		proxyInformer, proxySyncer, proxyQuerier, err := proxy.NewSyncer(op.logger, config.configClient, discovery)
+		proxyInformer, proxySyncer, proxyQuerier, err := proxy.NewSyncer(op.logger, config.configClient)
 		if err != nil {
 			err = fmt.Errorf("failed to initialize syncer for Proxy type - %v", err)
 			return nil, err
 
@@ -0,0 +1,35 @@
+package apiserver
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+// NoopQuerier returns an instance of noopQuerier. It's used for upstream where
+// we don't have any apiserver.config.openshift.io/cluster resource.
+func NoopQuerier() Querier {
+	return &noopQuerier{}
+}
+
+// Querier is an interface that wraps the QueryTLSConfig method.
+//
+// QueryTLSConfig updates the provided TLS configuration with cluster-wide
+// TLS security profile settings (MinVersion, CipherSuites, PreferServerCipherSuites).
+type Querier interface {
+	QueryTLSConfig(config *tls.Config) error
+}
+
+type noopQuerier struct {
+}
+
+// QueryTLSConfig applies secure default TLS settings to the provided config.
+// This is used on non-OpenShift clusters where there is no apiserver.config.openshift.io/cluster resource,
+// but we still want to ensure secure TLS configuration.
+func (*noopQuerier) QueryTLSConfig(config *tls.Config) error {
+	if config == nil {
+		return fmt.Errorf("tls.Config cannot be nil")
+	}
+
+	// Apply secure defaults for non-OpenShift clusters
+	return ApplySecureDefaults(config)
+}
@@ -0,0 +1,86 @@
+package apiserver_test
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNoopQuerier_QueryTLSConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		config      *tls.Config
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name:        "WithNilConfig",
+			config:      nil,
+			expectError: true,
+			errorMsg:    "tls.Config cannot be nil",
+		},
+		{
+			name:        "WithEmptyConfig",
+			config:      &tls.Config{},
+			expectError: false,
+		},
+		{
+			name: "WithPartialConfig",
+			config: &tls.Config{
+				MinVersion: tls.VersionTLS12,
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			querier := apiserver.NoopQuerier()
+			err := querier.QueryTLSConfig(tt.config)
+
+			if tt.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errorMsg)
+			} else {
+				require.NoError(t, err)
+				// Verify secure defaults are applied
+				assert.NotZero(t, tt.config.MinVersion, "MinVersion should be set to a default")
+				assert.NotEmpty(t, tt.config.CipherSuites, "CipherSuites should be set to defaults")
+				assert.True(t, tt.config.PreferServerCipherSuites, "PreferServerCipherSuites should be true")
+			}
+		})
+	}
+}
+
+func TestNoopQuerier_AppliesSecureDefaults(t *testing.T) {
+	querier := apiserver.NoopQuerier()
+	config := &tls.Config{}
+
+	err := querier.QueryTLSConfig(config)
+	require.NoError(t, err)
+
+	// Verify secure defaults
+	assert.GreaterOrEqual(t, config.MinVersion, uint16(tls.VersionTLS12), "Should use at least TLS 1.2")
+	assert.NotEmpty(t, config.CipherSuites, "Should have cipher suites configured")
+
+	// Verify cipher suites are valid
+	for _, cipher := range config.CipherSuites {
+		assert.NotZero(t, cipher, "Cipher suite should not be zero")
+	}
+}
+
+func TestNoopQuerier_DoesNotOverwriteNonZeroMinVersion(t *testing.T) {
+	querier := apiserver.NoopQuerier()
+	config := &tls.Config{
+		MinVersion: tls.VersionTLS13,
+	}
+
+	err := querier.QueryTLSConfig(config)
+	require.NoError(t, err)
+
+	// MinVersion should be preserved if already set
+	assert.Equal(t, uint16(tls.VersionTLS13), config.MinVersion, "Should preserve existing MinVersion")
+}
@@ -0,0 +1,212 @@
+package apiserver
+
+import (
+	"crypto/tls"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/openshift/client-go/config/informers/externalversions"
+
+	apiconfigv1 "github.com/openshift/api/config/v1"
+	configv1client "github.com/openshift/client-go/config/clientset/versioned"
+	configv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1"
+	"github.com/sirupsen/logrus"
+	"k8s.io/client-go/tools/cache"
+)
+
+const (
+	// This is the cluster level global apiserver.config.openshift.io/cluster object name.
+	globalAPIServerName = "cluster"
+
+	// default sync interval
+	defaultSyncInterval = 30 * time.Minute
+)
+
+// NewSyncer returns informer and sync functions to enable watch of the apiserver.config.openshift.io/cluster resource.
+func NewSyncer(logger *logrus.Logger, client configv1client.Interface) (apiServerInformer configv1.APIServerInformer, syncer *Syncer, querier Querier, factory externalversions.SharedInformerFactory, err error) {
+	factory = externalversions.NewSharedInformerFactoryWithOptions(client, defaultSyncInterval)
+	apiServerInformer = factory.Config().V1().APIServers()
+	s := &Syncer{
+		logger:        logger,
+		currentConfig: newTLSConfigHolder(),
+	}
+
+	syncer = s
+	querier = s
+	return
+}
+
+// RegisterEventHandlers registers event handlers for apiserver.config.openshift.io/cluster resource changes.
+// This is a convenience function to set up Add/Update/Delete handlers that call
+// the syncer's SyncAPIServer and HandleAPIServerDelete methods.
+func RegisterEventHandlers(informer configv1.APIServerInformer, syncer *Syncer) {
+	informer.Informer().AddEventHandler(&cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			if err := syncer.SyncAPIServer(obj); err != nil {
+				syncer.logger.WithError(err).Error("error syncing APIServer on add")
+			}
+		},
+		UpdateFunc: func(_, newObj interface{}) {
+			if err := syncer.SyncAPIServer(newObj); err != nil {
+				syncer.logger.WithError(err).Error("error syncing APIServer on update")
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			syncer.HandleAPIServerDelete(obj)
+		},
+	})
+}
+
+// Syncer deals with watching APIServer type(s) on the cluster and let the caller
+// query for cluster scoped APIServer TLS configuration.
+type Syncer struct {
+	logger        *logrus.Logger
+	currentConfig *tlsConfigHolder
+}
+
+// tlsConfigHolder holds TLS configuration in a thread-safe manner.
+// It always contains a valid configuration with secure defaults.
+type tlsConfigHolder struct {
+	mu     sync.RWMutex
+	config tls.Config
+}
+
+// newTLSConfigHolder creates a new holder initialized with secure defaults.
+func newTLSConfigHolder() *tlsConfigHolder {
+	h := &tlsConfigHolder{}
+	// Initialize with secure defaults
+	_ = ApplySecureDefaults(&h.config)
+	return h
+}
+
+// update atomically updates the stored TLS configuration.
+func (h *tlsConfigHolder) update(minVersion uint16, cipherSuites []uint16) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	h.config.MinVersion = minVersion
+	// Make a defensive copy of the slice
+	h.config.CipherSuites = make([]uint16, len(cipherSuites))
+	copy(h.config.CipherSuites, cipherSuites)
+	h.config.PreferServerCipherSuites = true
+}
+
+// copyTo atomically copies the cached TLS settings to the provided config.
+// All reading and copying happens under the read lock, ensuring thread safety.
+func (h *tlsConfigHolder) copyTo(config *tls.Config) {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+
+	// Copy all fields while holding the lock
+	config.MinVersion = h.config.MinVersion
+	config.CipherSuites = make([]uint16, len(h.config.CipherSuites))
+	copy(config.CipherSuites, h.config.CipherSuites)
+	config.PreferServerCipherSuites = h.config.PreferServerCipherSuites
+}
+
+// QueryTLSConfig queries the global cluster level APIServer object and updates
+// the provided TLS configuration with the cluster-wide security profile settings.
+func (w *Syncer) QueryTLSConfig(config *tls.Config) error {
+	if config == nil {
+		return fmt.Errorf("tls.Config cannot be nil")
+	}
+
+	// Copy the current cached config atomically
+	// This always succeeds because currentConfig always has a valid value
+	w.currentConfig.copyTo(config)
+	return nil
+}
+
+// SyncAPIServer is invoked when a cluster scoped APIServer object is added or modified.
+func (w *Syncer) SyncAPIServer(object interface{}) error {
+	apiserver, ok := object.(*apiconfigv1.APIServer)
+	if !ok {
+		w.logger.Error("wrong type in APIServer syncer")
+		return nil
+	}
+
+	// Convert the TLS security profile to get new settings
+	minVersion, cipherSuites := GetSecurityProfileConfig(apiserver.Spec.TLSSecurityProfile)
+
+	// Check if configuration changed (before updating)
+	changed := w.hasConfigChanged(minVersion, cipherSuites)
+
+	// Update the stored configuration atomically
+	w.currentConfig.update(minVersion, cipherSuites)
+
+	// Log if configuration changed
+	if changed {
+		profileName := getProfileName(apiserver.Spec.TLSSecurityProfile)
+		w.logger.Infof("APIServer TLS configuration changed: profile=%s, minVersion=%s, cipherCount=%d",
+			profileName,
+			tlsVersionToString(minVersion),
+			len(cipherSuites))
+	}
+
+	return nil
+}
+
+// HandleAPIServerDelete is invoked when a cluster scoped APIServer object is deleted.
+func (w *Syncer) HandleAPIServerDelete(object interface{}) {
+	_, ok := object.(*apiconfigv1.APIServer)
+	if !ok {
+		w.logger.Error("wrong type in APIServer delete syncer")
+		return
+	}
+
+	// Reset to secure defaults (Intermediate profile)
+	w.currentConfig.update(GetSecurityProfileConfig(nil))
+
+	w.logger.Info("APIServer TLS configuration deleted, reverted to secure defaults")
+	return
+}
+
+// hasConfigChanged checks if the new TLS settings differ from the current cached settings.
+func (w *Syncer) hasConfigChanged(minVersion uint16, cipherSuites []uint16) bool {
+	w.currentConfig.mu.RLock()
+	defer w.currentConfig.mu.RUnlock()
+
+	if w.currentConfig.config.MinVersion != minVersion {
+		return true
+	}
+	if len(w.currentConfig.config.CipherSuites) != len(cipherSuites) {
+		return true
+	}
+	for i := range cipherSuites {
+		if w.currentConfig.config.CipherSuites[i] != cipherSuites[i] {
+			return true
+		}
+	}
+	return false
+}
+
+// getProfileName returns the TLS security profile name for logging.
+func getProfileName(profile *apiconfigv1.TLSSecurityProfile) string {
+	if profile == nil {
+		return "Intermediate (default)"
+	}
+
+	profileType := string(profile.Type)
+	if profileType == "" {
+		return "Intermediate (default)"
+	}
+
+	return profileType
+}
+
+// tlsVersionToString converts a TLS version number to a string
+func tlsVersionToString(version uint16) string {
+	switch version {
+	case tls.VersionTLS10:
+		return "TLS 1.0"
+	case tls.VersionTLS11:
+		return "TLS 1.1"
+	case tls.VersionTLS12:
+		return "TLS 1.2"
+	case tls.VersionTLS13:
+		return "TLS 1.3"
+	default:
+		return "unknown"
+	}
+}